To describe hardening, we will compare your computer system to a medieval castle. You want to protect yourself from the bad guys, so you build a strong castle with high, thick walls. If you are the bad guy, you want to find the weakest spot and exploit that vulnerability. You aren’t going to try to penetrate a thick stone wall if there is a thin wooden door to take advantage of. If you are an avid movie watcher, I’m sure you’ve seen movies where the secret sewer tunnel lets someone through! The point of hardening your system is to make it hard to penetrate by reducing the attack surface.

There are many different “thin doors” and “sewer tunnels” that a bad guy might try to penetrate. Here is a list of some things you can do to harden a system:

Some steps to hardening systems (parts of a standard policy):

- Apply company security template and configuration baselines
  - Company-defined configuration settings should be more secure than out-of-the-box settings
- Close unnecessary network ports
  - If you never use the “door”, seal it off
- Install only needed software, remove everything else
  - Software can open other doorways for the bad guys
- Disable all non-required/unused services
  - Not typically configured/secured correctly, and can sustain attacks that go unnoticed
- Network-based patch management
  - Push patches to the client instead of hoping they patch themselves
- Limit administrative privileges
  - Don’t give too many people the keys to the castle
- Install a strong software firewall
  - Check all the traffic coming in and out of your castle
- Apply all system patches and service packs
  - Hotfixes, patches, and service packs obtained from the manufacturer’s website will often address security weaknesses
  - The most recent manufacturer updates and patches to the server will seal off newly discovered vulnerabilities
- Default passwords in hardware and software should be changed
  - The bad guys can find the documented default passwords and gain administrative access to your systems if you don’t change them!

Real world note: The ATMs that many people use for various banking purposes have been exploited because default passwords were not changed upon installation. Systems ranging from a grandma’s home PC to powerful government servers have been exploited because security patches were never installed. Many sad stories can be avoided by hardening your systems properly.
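Several items on the list above (baselines, unnecessary ports, unused services, administrative privileges) come down to comparing what a host actually looks like with what the company baseline says it should look like. The following added example (not part of the original post) does that comparison in Python over constructed sample data: the baseline values, the `ss -ltn` style socket listing, the service list, the admin account list and the `sshd_config` fragment are all made up for illustration and are not from any real policy or host.

```python
"""Baseline deviation check: report where a host strays from a hardening baseline."""

# Constructed company baseline (example values only, not a real policy).
BASELINE = {
    "allowed_listen_ports": {22, 443},               # every other open "door" is a finding
    "allowed_services": {"sshd", "cron", "rsyslog"},   # anything else should be disabled
    "max_admin_accounts": 2,                          # limit who holds the keys to the castle
    "required_sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}

# Constructed sample of `ss -ltn` output (listening TCP sockets), not a real capture.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      50     0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    [::]:3306           [::]:*
"""

# Constructed sshd_config fragment: root login enabled, password auth left at its default.
SSHD_SAMPLE = """Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

def parse_ss_listen(output):
    """Return the set of listening TCP ports from `ss -ltn` style output (header skipped)."""
    ports = set()
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))  # works for 0.0.0.0:22 and [::]:3306
    return ports

def parse_sshd_config(text):
    """Return {directive: value} from sshd_config text; commented-out lines are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def check_host(baseline, listen_ports, enabled_services, admin_accounts, sshd_opts):
    """Return a list of human-readable findings; an empty list means the host matches the baseline."""
    findings = []
    for port in sorted(listen_ports - baseline["allowed_listen_ports"]):
        findings.append(f"port {port} is listening but not in baseline: close it or justify it")
    for svc in sorted(set(enabled_services) - baseline["allowed_services"]):
        findings.append(f"service {svc} is enabled but not required: disable it")
    if len(admin_accounts) > baseline["max_admin_accounts"]:
        findings.append(f"{len(admin_accounts)} admin accounts exceed the limit of {baseline['max_admin_accounts']}")
    for key, want in baseline["required_sshd"].items():
        got = sshd_opts.get(key)  # None means the directive is absent, i.e. the default applies
        if got != want:
            findings.append(f"sshd {key}={got!r} but baseline requires {want!r}")
    return findings

def audit_sample():
    """Run the check over the constructed sample host; services and admins are made up too."""
    return check_host(BASELINE, parse_ss_listen(SS_SAMPLE),
                      ["sshd", "cron", "rsyslog", "telnet", "cups"],
                      ["alice", "bob", "svc-backup"], parse_sshd_config(SSHD_SAMPLE))

if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

On a real host the three inputs would come from `ss -ltn`, the service manager's list of enabled units and the membership of the administrative group, with the baseline kept in version control alongside the policy document.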

CompTIA expects you to know all the things on this list, some of which are described in more detail in the upcoming posts.